Big code change & refactoring commit

Move `token` into user module for lockchain-core. Start work on
a PAM authentication module which replaces the second layer
UserStore in API layer state (http being the only one for now).

This brings the `nix` and `pam-auth` dependencies, which unfortunately
currently don't work :(

9 files changed, 160 insertions, 12 deletions

diff --git a/Cargo.lock b/Cargo.lock
index 1cc98a3..ae40581 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -837,6 +837,8 @@ dependencies = [
  "blake2 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)",
  "chrono 0.4.4 (registry+https://github.com/rust-lang/crates.io-index)",
  "keybob 0.3.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "nix 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "pam-auth 0.5.4 (registry+https://github.com/rust-lang/crates.io-index)",
  "rand 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)",
  "serde 1.0.66 (registry+https://github.com/rust-lang/crates.io-index)",
  "serde_derive 1.0.66 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -1013,6 +1015,18 @@ dependencies = [
 ]
 
 [[package]]
+name = "nix"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "bitflags 1.0.3 (registry+https://github.com/rust-lang/crates.io-index)",
+ "cc 1.0.17 (registry+https://github.com/rust-lang/crates.io-index)",
+ "cfg-if 0.1.3 (registry+https://github.com/rust-lang/crates.io-index)",
+ "libc 0.2.42 (registry+https://github.com/rust-lang/crates.io-index)",
+ "void 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
+[[package]]
 name = "nodrop"
 version = "0.1.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -1052,6 +1066,24 @@ dependencies = [
 ]
 
 [[package]]
+name = "pam-auth"
+version = "0.5.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "libc 0.2.42 (registry+https://github.com/rust-lang/crates.io-index)",
+ "pam-sys 0.5.5 (registry+https://github.com/rust-lang/crates.io-index)",
+ "users 0.5.3 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
+[[package]]
+name = "pam-sys"
+version = "0.5.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "libc 0.2.42 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
+[[package]]
 name = "parking_lot"
 version = "0.5.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -1780,6 +1812,14 @@ dependencies = [
 ]
 
 [[package]]
+name = "users"
+version = "0.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "libc 0.2.42 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
+[[package]]
 name = "utf8-ranges"
 version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -1995,12 +2035,15 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 "checksum miow 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "8c1f2f3b1cf331de6896aabf6e9d55dca90356cc9960cca7eaaf408a355ae919"
 "checksum miscreant 0.3.0 (registry+https://github.com/rust-lang/crates.io-index)" = "345b52b06ce7a0e2fab0a0ea99ef52e81d63102ba0425b2914f1867b9d820628"
 "checksum net2 0.2.32 (registry+https://github.com/rust-lang/crates.io-index)" = "9044faf1413a1057267be51b5afba8eb1090bd2231c693664aa1db716fe1eae0"
+"checksum nix 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)" = "d37e713a259ff641624b6cb20e3b12b2952313ba36b6823c0f16e6cfd9e5de17"
 "checksum nodrop 0.1.12 (registry+https://github.com/rust-lang/crates.io-index)" = "9a2228dca57108069a5262f2ed8bd2e82496d2e074a06d1ccc7ce1687b6ae0a2"
 "checksum num-integer 0.1.39 (registry+https://github.com/rust-lang/crates.io-index)" = "e83d528d2677f0518c570baf2b7abdcf0cd2d248860b68507bdcb3e91d4c0cea"
 "checksum num-traits 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)" = "630de1ef5cc79d0cdd78b7e33b81f083cbfe90de0f4b2b2f07f905867c70e9fe"
 "checksum num_cpus 1.8.0 (registry+https://github.com/rust-lang/crates.io-index)" = "c51a3322e4bca9d212ad9a158a02abc6934d005490c054a2778df73a70aa0a30"
 "checksum opaque-debug 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "d620c9c26834b34f039489ac0dfdb12c7ac15ccaf818350a64c9b5334a452ad7"
 "checksum owning_ref 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)" = "cdf84f41639e037b484f93433aa3897863b561ed65c6e59c7073d7c561710f37"
+"checksum pam-auth 0.5.4 (registry+https://github.com/rust-lang/crates.io-index)" = "786ab196f56a77935a235ec5d8f0bf1755343528a8699273a14ed4891be284e3"
+"checksum pam-sys 0.5.5 (registry+https://github.com/rust-lang/crates.io-index)" = "a7710a1234438b6358315b14fc5f56c5af8f8b6d93515281053af5257ad848a6"
 "checksum parking_lot 0.5.5 (registry+https://github.com/rust-lang/crates.io-index)" = "d4d05f1349491390b1730afba60bb20d55761bef489a954546b58b4b34e1e2ac"
 "checksum parking_lot_core 0.2.14 (registry+https://github.com/rust-lang/crates.io-index)" = "4db1a8ccf734a7bce794cc19b3df06ed87ab2f3907036b693c68f56b4d4537fa"
 "checksum pbkdf2 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "6d389750af68dcb6d6b2d6cf4aa234d2929b311a31a74aa8bb33e13a27784b8d"
@@ -2085,6 +2128,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 "checksum unreachable 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)" = "382810877fe448991dfc7f0dd6e3ae5d58088fd0ea5e35189655f84e6814fa56"
 "checksum untrusted 0.5.1 (registry+https://github.com/rust-lang/crates.io-index)" = "f392d7819dbe58833e26872f5f6f0d68b7bbbe90fc3667e98731c4a15ad9a7ae"
 "checksum url 1.7.0 (registry+https://github.com/rust-lang/crates.io-index)" = "f808aadd8cfec6ef90e4a14eb46f24511824d1ac596b9682703c87056c8678b7"
+"checksum users 0.5.3 (registry+https://github.com/rust-lang/crates.io-index)" = "e7d8fb16f17ce0e6a18a25ce39f08edb5fbe9a25f3f346c9dca5e6ffc0485cdf"
 "checksum utf8-ranges 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)" = "662fab6525a98beff2921d7f61a39e7d59e0b425ebc7d0d9e66d316e55124122"
 "checksum uuid 0.6.5 (registry+https://github.com/rust-lang/crates.io-index)" = "e1436e58182935dcd9ce0add9ea0b558e8a87befe01c1a301e6020aeb0876363"
 "checksum vec_map 0.8.1 (registry+https://github.com/rust-lang/crates.io-index)" = "05c78687fb1a80548ae3250346c3db86a80a7cdd77bda190189f2d0a0987c81a"
diff --git a/lockchain-core/Cargo.toml b/lockchain-core/Cargo.toml
index cfddc0f..87d3f65 100644
--- a/lockchain-core/Cargo.toml
+++ b/lockchain-core/Cargo.toml
@@ -14,6 +14,9 @@ serde_derive = "1.0"
 serde_json = "1.0"
 serde = "1.0"
 
+nix = "0.11"
+pam-auth = "0.5"
+
 base64 = "0.8"
 bcrypt = "0.2"
 rand = "0.4"
diff --git a/lockchain-core/src/auth.rs b/lockchain-core/src/auth.rs
new file mode 100644
index 0000000..eceece0
--- /dev/null
+++ b/lockchain-core/src/auth.rs
@@ -0,0 +1,88 @@
+//! Provides an authentication module backed by PAM
+//!
+//! The way a user is authenticated is via the `lockchain` group
+//! and a simple writing/ deleting of a lock file.
+
+use nix::sys::wait::*;
+use nix::unistd::{fork, ForkResult};
+
+use pam_auth::{self, Authenticator, PamError, Result as PamResult};
+
+#[derive(Debug)]
+pub enum AuthError {
+    FailedFork,
+    FailedPAM,
+    InvalidUser,
+    UserNotAuthorised,
+}
+
+/// Simple way to authenticate a user for administrative actions
+/// 
+/// Attempts to open a PAM session for the provided user/pw combination
+/// then attempts to write to a tmpfile in the lockchain config directory.
+/// If this action is successful the user is either the same running the
+/// lockchain server *or* has access to the file via group permissions.
+/// 
+/// This does rely on `lockchain` being properly configured on the server
+/// i.e. not using public permissions for the configuration/ state directory.
+/// 
+/// **Note** as of `lockchain v0.9.0` this function has not been implemented
+/// yet due to issues in the `pam-auth` dependency.
+#[allow(unused_variables)]
+pub fn pam_authenticate(username: &str, password: &str) -> Result<(), AuthError> {
+    Err(AuthError::FailedPAM)
+
+
+    // match fork().map_err(|_| AuthError::FailedFork)? {
+    //     ForkResult::Parent { child } => {
+    //         waitpid(child, None).unwrap();
+    //         // kill(child, SIGKILL).expect("kill failed");
+    //     }
+    //     ForkResult::Child => {
+    // let mut auth = Authenticator::new("lockchain").ok_or(AuthError::FailedPAM)?;
+
+    // use std::error::Error;
+    // let service = "login";
+
+    // println!("Username: {}", username);
+    // println!("Password: {}", password);
+    // println!("Service:  {}", service);
+
+    // let mut auth = Authenticator::new(service).unwrap();
+    // auth.set_credentials(username, password);
+
+    // match auth.authenticate() {
+    //     Ok(()) => println!("authenticate() OK!"),
+    //     Err(e) => {
+    //         println!("authenticate() FAILED!");
+    //         println!("{}", e.description());
+    //         println!("{:#?}", e.cause());
+    //     }
+    // }
+
+    // match auth.open_session() {
+    //     Ok(()) => println!("open_session() OK!"),
+    //     Err(e) => {
+    //         println!("open_session() FAILED!");
+    //         println!("{}", e.description());
+    //         println!("{:#?}", e.cause());
+    //     }
+    // }
+
+    // auth.set_credentials(username, password);
+    // auth.authenticate().map_err(|_| AuthError::InvalidUser)?;
+    // auth.open_session().map_err(|_| AuthError::FailedPAM)?;
+
+    // use std::process::Command;
+    // let output = Command::new("su")
+    //     .arg(username)
+    //     .output()
+    //     .expect("failed to execute process");
+    // println!("whoami: {:#?}", String::from_utf8(output.stdout).unwrap());
+
+    // ::std::process::exit(255);
+    //     }
+    // }
+
+    // Ok(())
+}
diff --git a/lockchain-core/src/lib.rs b/lockchain-core/src/lib.rs
index 465f145..2c5b0d7 100644
--- a/lockchain-core/src/lib.rs
+++ b/lockchain-core/src/lib.rs
@@ -1,7 +1,6 @@
 //! Common library types used in lockchain crates
 #![feature(external_doc)]
 #![doc(include = "../README.md")]
-#![feature(non_modrs_mods)]
 
 #[macro_use]
 extern crate serde_derive;
@@ -13,6 +12,8 @@ extern crate base64;
 extern crate blake2;
 extern crate rand;
 extern crate keybob;
+extern crate nix;
+extern crate pam_auth;
 
 pub mod errors;
 pub mod traits;
@@ -20,7 +21,9 @@ pub mod crypto;
 pub mod users;
 mod meta;
 mod record;
+mod auth;
 
 pub use self::crypto::PackedData;
 pub use self::record::{Header, Payload, Record, EncryptedBody};
 pub use self::meta::{MetaDomain, VaultMetadata};
+pub use self::auth::pam_authenticate;
\ No newline at end of file
diff --git a/lockchain-core/src/traits.rs b/lockchain-core/src/traits.rs
index 96a2034..4e66d8f 100644
--- a/lockchain-core/src/traits.rs
+++ b/lockchain-core/src/traits.rs
@@ -178,3 +178,15 @@ impl Base64AutoEncoder for String {
         String::from_utf8(base64::decode(base64).unwrap()).unwrap()
     }
 }
+
+impl Base64AutoEncoder for Vec<u8> {
+    /// Automatically encode this string to base64
+    fn to_base64(&self) -> String {
+        base64::encode(self)
+    }
+
+    /// Craft a string from an existing base64 string slice
+    fn from_base64(base64: &str) -> String {
+        String::from_utf8(base64::decode(base64).unwrap()).unwrap()
+    }
+}
diff --git a/lockchain-core/src/users.rs b/lockchain-core/src/users/mod.rs
index ab40c43..29be002 100644
--- a/lockchain-core/src/users.rs
+++ b/lockchain-core/src/users/mod.rs
@@ -13,8 +13,8 @@
 //! `User` is also a serialisable struct which contains important
 //! data to load and store them into a metadata store.
 
-mod auth;
-pub use self::auth::Token;
+mod tokens;
+pub use self::tokens::Token;
 
 use crypto::{encoding, hashing, random};
 use std::collections::HashMap;
diff --git a/lockchain-core/src/users/auth.rs b/lockchain-core/src/users/tokens.rs
index e6e4854..e6e4854 100644
--- a/lockchain-core/src/users/auth.rs
+++ b/lockchain-core/src/users/tokens.rs
diff --git a/lockchain-http/src/state.rs b/lockchain-http/src/state.rs
index 9a5b4ba..650660f 100644
--- a/lockchain-http/src/state.rs
+++ b/lockchain-http/src/state.rs
@@ -1,5 +1,4 @@
 use lockchain::traits::{AutoEncoder, Body, FileIO, Vault};
-use lockchain::users::{User, UserStore};
 
 use std::collections::HashMap;
 use std::marker::PhantomData;
@@ -34,14 +33,14 @@ where
     #[doc(hidden)]
     pub vaults: HashMap<String, Option<V>>,
     #[doc(hidden)]
-    pub users: UserStore,
-    #[doc(hidden)]
     pub _phantom: PhantomData<B>,
 
     /// Signal if the API handlers are allowed outside their working dir
     pub bound_scope: bool,
     /// Provide a working directory
     pub working_dir: PathBuf,
+    /// Completely disabe administrative actions
+    pub administrative: bool,
 }
 
 impl<B, V> ApiState<B, V>
@@ -88,7 +87,7 @@ where
             _phantom: PhantomData,
             bound_scope: true,
             vaults: HashMap::new(),
-            users: Default::default(),
+            administrative: false,
             ..Default::default()
         }
     }
@@ -97,7 +96,6 @@ where
 #[derive(Serialize, Deserialize)]
 struct SerializedState {
     vaults: Vec<String>,
-    users: Vec<User>,
 }
 
 impl AutoEncoder for SerializedState {}
@@ -112,7 +110,6 @@ where
     fn from(me: &'state ApiState<B, V>) -> Self {
         Self {
             vaults: me.vaults.iter().map(|(k, _)| k.clone()).collect(),
-            users: me.users.get_all().iter().map(|(_, v)| v.clone()).collect(),
         }
     }
 }
diff --git a/lockchain-server/src/main.rs b/lockchain-server/src/main.rs
index 8d3f3fd..1e4840f 100644
--- a/lockchain-server/src/main.rs
+++ b/lockchain-server/src/main.rs
@@ -14,11 +14,12 @@ fn main() {
     let state = ApiState::<EncryptedBody, DataVault<EncryptedBody>> {
         bound_scope: true,
         working_dir: ".".into(),
+
+        // This is a dangerous option
+        administrative: true,
         ..Default::default()
     };
 
     let server = create_server("localhost", "9999", state);
-    server.run();
-
-    // println!("After the server died!");
+    server.unwrap().run();
 }